nspawn: Drop CAP_NET_BIND_SERVICE if in userns with identity mapping

Even if there's no uid shift, we still won't be able to bind to privileged
ports in the host network namespace, so drop the capability regardless of
whether we have a uid shift or not.

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 1142bc574588d9ee56bc92c73ba3713a33902c94..ab8746c442b26d62de0baebdf871c1a856ef2386 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -5950,7 +5950,7 @@ static int run(int argc, char *argv[]) {
         /* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
          * permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
          * indicate that. */
-        if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
+        if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO)
                 arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
 
         r = verify_arguments();